We spent a couple of hours looking into it. And then a couple hours looking into the WordPress security notification system. Perhaps, I should say: non-notification system as to getting subscribed to a formal notification mailing list from the WordPress folks, proper
The WordPress model seems to be: treat your WordPress site as though it is a pet that needs daily feeding. And to be 'put down' when you lose interest in it, move on, or forget about it -- Oops. Log in daily as an administrator, and look for a notification
This of course RULES OUT using a packaged approach to managing such sites, as the lag for stabilizing a new RPM package, accounting for potential database changes, and the like 'take too long'. Just unroll a tarball, and trust that it will not break any local customizations
I see fourteen open tabs in my browser panel still open, related to trying to track down a central and formal notification feed that I (or any person seeking to get 'push' notification) might subscribe containing only 'Security' notifications. Weeding through the tabs, ...
- The 'Famous 5-Minute Install' for WordPress -- Nope, no useful outlink for hardening, nor to subscribe to notifications, beyond a pointer to a third-party Ubuntu appliance with an 'automatic security updates'. That appliance's page has pointers to a tool to enable taking database backups, adding PHPMyAdmin, and Webmin. Not good choices for a person caring about security
- Perhaps FAQ items tagged with: Security -- Nope, clearly incomplete, as for example a Google search turns up this third-party alert for version 3.3.2, but the Release Notice does not get titled with: Security
- This bug (#10253) lingered for three years with a Security tag in their Trac issue tracker as to the current release series (3.4), and was amended ten days ago; But the latest release (for 3.4.2) was twenty days ago when this is written. Should an update have been release? Who Knows?
- Perhaps their FAQ Security -- Nope, no push notification link suggested there, but lots of clutter as to copyright infringement notification handling, and miscellaneous topics
- Perhaps watch the Releases News in an RSS reader - Oops, no sub-tag feed offered, and there has not been an "Important" Security release since December 2010, if one used that approach
- Run a Google search daily, and look for third-party commendary - Nope, although nuggets may be found, for it is not viable as: Not Authoritative, irregular and partial as to updates, and wading through search engine hit, or RSS feed clutter will kill your productivity
A quick Google search for: turns up lots of vulnerable candidate installations, and a handy, dandy code fragment for parsing information out of potential victims so found, to automate take-overs. No criticism of the author of that code publishing his work; a knife can heal (as a scalpel), prepare dinner, or injure, depending on the intent of its holder
I see an official recovery outline suggestion, anyway